On Sun, May 3, 2026 at 11:33 PM Zygmunt Krynicki <[email protected]> wrote: > > unpack_pdb() may need to allocate a missing ACCEPT2 table for older policy > data. If that allocation failed, it set an error message but jumped to the > success path, returning a policydb with the required table missing. > > Return -ENOMEM through the normal failure path when the ACCEPT2 allocation > fails. Remove the now-unused out label. > > Fixes: 2e12c5f06017 ("apparmor: add additional flags to extended permission.") > > Signed-off-by: Zygmunt Krynicki <[email protected]> > --- > security/apparmor/policy_unpack.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/security/apparmor/policy_unpack.c > b/security/apparmor/policy_unpack.c > index 9f45d5513d2ca..9084d3d0cffdc 100644 > --- a/security/apparmor/policy_unpack.c > +++ b/security/apparmor/policy_unpack.c > @@ -1054,7 +1054,8 @@ static int unpack_pdb(struct aa_ext *e, struct > aa_policydb **policy, > pdb->dfa->tables[YYTD_ID_ACCEPT2] = kvzalloc(tsize, > GFP_KERNEL); > if (!pdb->dfa->tables[YYTD_ID_ACCEPT2]) { > *info = "failed to alloc dfa flags table"; > - goto out; > + error = -ENOMEM; > + goto fail; > } > pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_lolen = noents; > pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_flags = tdflags; > @@ -1079,7 +1080,6 @@ static int unpack_pdb(struct aa_ext *e, struct > aa_policydb **policy, > * - move free of unneeded trans table here, has to be done > * after perm mapping. > */ > -out: > *policy = pdb; > return 0; > > -- > 2.53.0 > >
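Review bot: In the first hunk (@@ -1054), the new "goto fail" targets a label whose body is outside the visible context, so the patch as shown does not let a reviewer confirm that the failure path releases pdb together with its already-unpacked dfa, or that it leaves the *info string set two lines earlier intact. Please confirm both, or resend with enough context to show the fail label. Separately, the commit message has a blank line between the Fixes: tag and Signed-off-by:. Keeping the tags contiguous lets them be read as one trailer block.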
A search for usage of the ACCEPT2 table turned up file.c:aa_lookup_condperms, which dereferences the table through the ACCEPT_TABLE2 macro without checking if it is NULL first. Thus, this appears to be a lurking NULL pointer dereference.

Reviewed-by: Ryan Lee <[email protected]>
